Typescript Hardcoded Test Credentials
Description
Identifies hardcoded credentials (passwords, API keys, tokens and similar) within test files and test directories. This poses a security risk: test credentials may be deployed or leaked by accident, exposing authentication material that an attacker could use.
Detection Strategy
• Scans source code files within test directories or files with test-related naming patterns (e.g. *test.js, *spec.py)
• Searches for string literals and variable assignments containing sensitive credential patterns like passwords, tokens, and API keys
• Reports vulnerabilities when credentials are directly embedded as string constants rather than being loaded from secure configuration or environment variables
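The detection strategy above, as an added example that is not Fluid Attacks' scanner: a small TypeScript checker that applies the three steps to a file path and its source text. The test-path patterns, the credential word list, the function names (isTestFile, looksLikeCredential, scanSource, demo) and the sample sources are this example's own assumptions, and every credential value in the samples is a constructed placeholder. It goes one step beyond the page by also flagging a literal default after `??` or `||` next to a process.env read, since that fallback is still a hardcoded credential.

```typescript
// Added example: a minimal hardcoded-credential checker for test files.
// Not Fluid Attacks' scanner; patterns, names and samples are assumptions.

interface Finding {
  file: string;
  line: number;    // 1-based line number
  key: string;     // identifier or property name the literal was assigned to
  snippet: string; // the matched `key = 'literal'` / `key: 'literal'` text
}

// Step 1: scope. Paths under a test directory, or filenames ending in
// test.js / spec.ts (and jsx, tsx, mjs, cjs variants), mirroring the
// "*test.js, *spec.py" style globs in the detection strategy.
const TEST_PATH = /(^|[\/\\])(__tests__|tests?|spec)[\/\\]|(test|spec)\.[cm]?[jt]sx?$/i;

// Step 2: which identifiers look like they hold a credential. The key is split
// on camelCase, "_" and "-" first, so testPassword, API_TOKEN and apiKey all hit.
const CREDENTIAL_WORDS = /\b(password|passwd|pwd|secret|token|api ?key|access ?key|private ?key|auth)\b/;

// A non-empty string literal assigned with `=` or as an object property with `:`.
// Group 1 = key, group 2 = quote, group 3 = value. The optional middle part also
// catches `process.env.X ?? 'literal'` / `|| 'literal'`: the env read is fine,
// the literal default is still a hardcoded credential.
const LITERAL_ASSIGNMENT =
  /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(?:process\.env\.\w+\s*(?:\?\?|\|\|)\s*)?(['"`])((?:(?!\2).)+)\2/;

function isTestFile(path: string): boolean {
  return TEST_PATH.test(path);
}

function looksLikeCredential(key: string): boolean {
  const words = key
    .replace(/([a-z0-9])([A-Z])/g, '$1 $2') // camelCase -> "camel Case"
    .replace(/[_-]+/g, ' ')
    .toLowerCase();
  return CREDENTIAL_WORDS.test(words);
}

// Step 3: report only string literals. A value read from process.env with no
// literal default never matches LITERAL_ASSIGNMENT, so it is never reported.
function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  if (!isTestFile(file)) return findings;
  const lines = source.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const re = new RegExp(LITERAL_ASSIGNMENT.source, 'g'); // fresh lastIndex per line
    let m: RegExpExecArray | null;
    while ((m = re.exec(lines[i])) !== null) {
      if (looksLikeCredential(m[1])) {
        findings.push({ file, line: i + 1, key: m[1], snippet: m[0].trim() });
      }
    }
  }
  return findings;
}

// Constructed sample sources; the credential values are placeholders.
const VULNERABLE_TEST = [
  "import frisby from 'frisby';",
  "const REST_URL = 'http://localhost:3000/rest';",
  "describe('/rest/user/login', () => {",
  "  it('should login with hardcoded credentials', async () => {",
  "    await frisby.post(`${REST_URL}/user/login`, {",
  "      headers: { 'content-type': 'application/json' },",
  "      body: { email: 'admin@example.test', password: 'sample-placeholder-pw' },",
  "    });",
  "  });",
  "});",
].join('\n');

const SECURE_TEST = [
  "import frisby from 'frisby';",
  "const REST_URL: string = process.env.API_URL ?? 'http://localhost:3000/rest';",
  "describe('/rest/user/login', () => {",
  "  it('should login with test credentials', async () => {",
  "    const testEmail = process.env.TEST_USER_EMAIL as string;",
  "    const testPassword = process.env.TEST_PASSWORD as string;",
  "    await frisby.post(`${REST_URL}/user/login`, {",
  "      headers: { 'content-type': 'application/json' },",
  "      body: { email: testEmail, password: testPassword },",
  "    });",
  "  });",
  "});",
].join('\n');

const FALLBACK_TEST = [
  "import { request } from './client';",
  "const API_TOKEN = process.env.API_TOKEN || 'fallback-token-placeholder';",
  "export const authedRequest = (path: string) => request(path, API_TOKEN);",
].join('\n');

function demo() {
  return {
    vulnerable: scanSource('test/api/login.spec.ts', VULNERABLE_TEST),
    secure: scanSource('test/api/login.spec.ts', SECURE_TEST),
    fallback: scanSource('tests/client.test.ts', FALLBACK_TEST),
    // Same literal under a non-test path: outside this rule's scope.
    outOfScope: scanSource('src/api/login.ts', VULNERABLE_TEST),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it reports one finding for the vulnerable sample (the `password: '...'` property on line 7), none for the env-loaded sample, one for the `||` fallback, and none for the same vulnerable source under a non-test path. The URL fallback in the secure sample is matched by the regex but dropped at step 2 because `string` is not a credential-like key; a fallback for a token is kept.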
Vulnerable code example
    import frisby from 'frisby';
    const REST_URL = 'http://localhost:3000/rest';
    describe('/rest/user/login', () => {
      it('should login with hardcoded credentials', async () => {
        await frisby.post(`${REST_URL}/user/login`, {
          headers: { 'content-type': 'application/json' },
          body: {...
✅ Secure code example
    import frisby from 'frisby';
    const REST_URL: string = process.env.API_URL ?? 'http://localhost:3000/rest';
    describe('/rest/user/login', () => {
      it('should login with test credentials', async () => {
        // Load credentials from environment variables for testing
        const testEmail = process.env.TEST_USER_EMAIL as string;
        const testPassword = process.env.TEST_PASSWORD as string;...
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.